Noise Protocol Handshake (Stratum V2)

Every Stratum V2 connection is encrypted and authenticated by a handshake built on the Noise Protocol Framework. This is one of the most visible upgrades over Stratum V1, whose plaintext traffic let network observers steal hashrate, spy on a miner, or tamper with jobs in transit. Stratum V2 closes that hole before any mining message is exchanged.

The Noise_NX pattern

Stratum V2 uses the Noise_NX handshake pattern, augmented with a simple two-level public-key infrastructure for server authentication. It runs in three acts: the initiator sends an ephemeral public key; the responder replies with its own ephemeral key, an encrypted static key, and a signed certificate; the initiator then validates that signature to confirm it is talking to the genuine server. Once complete, both sides share symmetric keys and all subsequent traffic is encrypted.

Cryptographic primitives

The handshake uses Bitcoin's own secp256k1 curve for key generation and ECDH, with public keys serialized using ElligatorSwift so the bytestream looks pseudo-random to observers, while certificates use 32-byte x-only keys per BIP340. ChaCha20-Poly1305 in AEAD mode is the default cipher, providing both confidentiality and integrity, and SHA-256 is the hash function. Server identity is anchored by a Pool Authority key, distributed through a trusted channel such as the pool's website, which signs the server's certificate and lets the miner reject man-in-the-middle impostors.

This encrypted channel is what every Stratum mining channel rides over, and it protects the work negotiated through the Job Declaration Protocol from interception.